With So Many Unknowns, Cybersecurity Must First Be Tackled Through Dialogue, Panel Says
Until there’s agreement on what cyberthreats are and on what cybersecurity policies or rules are intended to protect against, there’s no need for sweeping treaties, said European Internet Services Providers Association (EuroISPA) President Malcolm Hutty Wednesday. Cybersecurity must safeguard “that which you value,” and that differs widely among governments and other stakeholders, he said at a panel at the U.N. Educational, Scientific and Cultural Organization’s First World Summit on the Information Society+10 review meeting in Paris. Panelists agreed that many questions remain open, but expanding global dialogue on cybersecurity is a good first step.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The cyberthreat landscape has changed in several respects, Hutty said. Services and facilities sought to be protected now range across borders, making it harder for a single country to deal with. Cloud services, which may be in a better position to safeguard cybersecurity than anything else, still face potential threats posed by third parties. And the “bring your own device” culture means organizations don’t necessarily have as much control over parts of their security infrastructure, he said. All these developments can be good things, but they create a security landscape that no one yet fully understands, he said. The real threat is that “mistaken policy” will be made because of that lack of understanding, he said.
Cyberthreats and cyberrisks aren’t the same thing, said Organisation for Economic Co-operation and Development (OECD) Policy Analyst Laurent Bernat. The opposite of risks is benefits, he said. Treating cyberspace as a threat, rather than as the kind of risks businesses make assessments of, limits the way they look at them, he said. Addressing problems as threats fails to see them as just risks and they won’t be dealt with properly, he said.
Based on the principle that cyberspace is one thing worldwide, “the business of cybersecurity is the business of all,” said Moctar Yedaly, who heads the African Union (AU) Department of Communications and Post. The AU believes that the more connected African nations are to the world, the more of a threat they pose to everyone else, he said. And because African networks aren’t well protected, they're suffering attacks from China and elsewhere, he said. The union is now discussing privacy protection and cybersecurity in an effort to harmonize and coordinate policies, something it isn’t doing very well now, he said.
Information-sharing is one piece of the puzzle, several panelists said. The Obama administration recently issued an executive order acknowledging that information-sharing poses a problem in addressing cybersecurity, said Liesyl Franz, of the State Department’s Office of the Coordinator of Cyber Issues. The order directs government agencies to share threat information with the infrastructure sector. It’s not a panacea but a start, she said.
Google wants to share as much information as it can with the cybercommunity, said Policy Counsel Patrick Ryan. While there may not be a common definition of cybersecurity, everyone has a basic idea of what’s bad, he said. Google believes it’s critical to make all information it discovers available to everyone, including rivals, he said. He also recommended that encryption models such as the Secure Sockets Layer protocol be made less expensive so more companies can afford them.
When governments are overwhelmed by perceived or real threats, they tend to build walls to keep them out, and that’s happening now, said Matthew Shears of the Center for Democracy and Technology (CDT). How administrations and others overcome the silo mentality and share information is important to determining how they deal with cyberthreats, he said.
Political and industry awareness levels of cybersecurity may be modest but the fact that U.S., EU and business leaders are talking about it is a first step, said Derek O'Halloran, World Economic Forum USA head of information technology industries. Any policy should take an open, multistakeholder approach, and policies must be interoperable across borders, he said. The cybercommunity also must share best practices relating to skills and competencies, he said.
One audience member suggested a global initiative to regulate data flows along the lines of how goods and services are regulated under World Trade Organization treaties. There are existing legal frameworks applicable to cyberspace that should be used as much as possible for global collaboration, but global regulation “takes forever” and the cybersecurity space moves quickly, State’s Franz said. Given the current level of awareness about the issue, there’s an environment rich for collaboration, but global rules may not be appropriate, she said.
There could be a minimum level of safety and security but that doesn’t necessarily imply a global pact, O'Halloran said. The World Health Organization, financial markets and Interpol are examples of governmental initiatives that don’t rest on treaties, he said.
International trade agreements came about after millennia of trade, OECD’s Bernat said. The history of dealing with “cyberstuff” is very short, he said. A great deal of time and shared culture is needed to resolve the problems, starting with a dialogue aimed at finding a common understanding of some of the issues -- or at least of what to disagree on, he said.
Hutty said he’s skeptical about overarching treaties. Cybersecurity needs to shield “that which you value,” and that differs among the various players, the EuroISPA president said. If players can’t agree on what to protect, they can’t have sweeping agreements on how to protect it, he said. He recommended working with what’s already in place, such as the Council of Europe cybercrime convention.
No one should assume that dealing with these issues on a global level is a silver bullet, CDT’s Shears said. Cyberthreats and security must be managed on the national and regional levels as well, he said. Whatever we do, “we can’t imperil our fundamental human rights.”